Metasploit Or Impacket Service Installation Via SMB PsExec
Detects use of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by matching the characteristic service installation they perform (Security event ID 4697 with randomly named service and binary)
Author: Bartlomiej Czyz, Relativity. Created Thu Jan 21, updated Wed Oct 05. Rule ID 6fb63b40-e02a-403e-9ffd-3bcc1d749442 (windows).
Log Source
Product: windows
Service: security
Definition
The 'Security System Extension' audit subcategory (Advanced Audit Policy, System category) needs to be enabled, otherwise EID 4697 is never written and the rule cannot fire.
Detection Logic (2 selectors)
detection:
    selection:
        EventID: 4697
        ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
        ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
        ServiceStartType: 3 # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
        ServiceType: '0x10'
    filter:
        ServiceName: 'PSEXESVC'
    condition: selection and not filter
False Positives
Possible: other agents or installers that drop an 8-character binary under %systemroot% and register it under a 4-, 8- or 16-character alphabetic service name with on-demand start will also match.
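To make the rule's behaviour concrete, the following added example (not part of the Sigma rule or the SigmaHQ project) re-implements the selection and filter logic above in Python and runs it over a handful of constructed 4697-style events. The field names are taken from the rule; the event values, the names `selection`, `filter_`, `matches` and `alerts`, and the sample events themselves are assumptions made for illustration. Note that Sigma's `|re` modifier is case-sensitive unless the rule says otherwise, so the `^%systemroot%` prefix only matches a lowercase path exactly as logged; plain string values like the `PSEXESVC` filter are case-insensitive, which the code mirrors.

```python
import re

# Regexes and constants copied from the Sigma rule on this page.
# Sigma's |re modifier is case-sensitive by default, so these are compiled without re.I.
SERVICE_FILE_RE = re.compile(r'^%systemroot%\\[a-zA-Z]{8}\.exe$')
SERVICE_NAME_RE = re.compile(r'(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)')
# Plain Sigma string matches are case-insensitive, so the filter compares lowercased.
FILTERED_SERVICE_NAMES = {"psexesvc"}


def selection(event):
    """The rule's 'selection' block: every listed field must match (implicit AND)."""
    return (
        event.get("EventID") == 4697
        and SERVICE_FILE_RE.search(event.get("ServiceFileName", "")) is not None
        and SERVICE_NAME_RE.search(event.get("ServiceName", "")) is not None
        and str(event.get("ServiceStartType")) == "3"          # on-demand start
        and str(event.get("ServiceType", "")).lower() == "0x10"  # Win32 own-process service
    )


def filter_(event):
    """The rule's 'filter' block: Sysinternals PsExec's well-known service name."""
    return event.get("ServiceName", "").lower() in FILTERED_SERVICE_NAMES


def matches(event):
    """condition: selection and not filter"""
    return selection(event) and not filter_(event)


# Constructed sample events (assumed, not real telemetry), shaped like the 4697 fields the rule uses.
SAMPLE_EVENTS = [
    # Random 4-letter service name and 8-letter binary: the pattern the rule targets -> alert.
    {"EventID": 4697, "ServiceName": "HxQe", "ServiceFileName": "%systemroot%\\GaPmWQxl.exe",
     "ServiceStartType": 3, "ServiceType": "0x10"},
    # Sysinternals PsExec: selection matches (8-letter name and binary), but the filter drops it.
    {"EventID": 4697, "ServiceName": "PSEXESVC", "ServiceFileName": "%systemroot%\\PSEXESVC.exe",
     "ServiceStartType": 3, "ServiceType": "0x10"},
    # Legitimate agent with a full path and auto start -> no alert.
    {"EventID": 4697, "ServiceName": "Sysmon64", "ServiceFileName": "C:\\Windows\\Sysmon64.exe",
     "ServiceStartType": 2, "ServiceType": "0x10"},
    # Edge case: same shape as the first event but the path is logged as %SystemRoot%.
    # The case-sensitive regex misses it; worth checking against what your backend actually logs.
    {"EventID": 4697, "ServiceName": "RsTwKqLpZmNbVcXd", "ServiceFileName": "%SystemRoot%\\AbCdEfGh.exe",
     "ServiceStartType": 3, "ServiceType": "0x10"},
    # System-log service install (EID 7045) is out of scope for this Security-log rule.
    {"EventID": 7045, "ServiceName": "WxYz", "ServiceFileName": "%systemroot%\\QwErTyUi.exe",
     "ServiceStartType": 3, "ServiceType": "0x10"},
]


def alerts(events):
    """Return the service names of the events the rule would alert on."""
    return [e["ServiceName"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"EID {e['EventID']} {e['ServiceName']:<18} -> {'ALERT' if matches(e) else 'no match'}")
```

Running the script alerts only on the first event; the PSEXESVC install is suppressed by the filter, and the `%SystemRoot%` variant shows why the regex's case sensitivity should be validated against real 4697 records from the environment before relying on the rule.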
References
MITRE ATT&CK
Related Rules
Derived: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 (rule not found)
Rule Metadata
Rule ID
6fb63b40-e02a-403e-9ffd-3bcc1d749442
Status
test
Level
high
Type
Detection
Created
Thu Jan 21
Modified
Wed Oct 05
Author
Bartlomiej Czyz, Relativity
Path
rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
Raw Tags
attack.lateral-movement, attack.t1021.002, attack.t1570, attack.execution, attack.t1569.002